DOI: 10.1145/2420950.2420996

Code shredding: byte-granular randomization of program layout for detecting code-reuse attacks

Published: 03 December 2012

Abstract

Code-reuse attacks that corrupt memory address pointers have been a major threat to software for many years. Numerous defenses have been proposed to counter this threat, but the majority of them impose strict restrictions on software deployment, such as requiring recompilation with a custom compiler, or cause integrity problems because they modify the program. One notable exception is ASLR (address space layout randomization), a widespread defense free of such burdens, but one that is also known to be penetrated by a class of attacks that takes advantage of its coarse randomization granularity. Focusing on minimizing randomization granularity while retaining these advantages of ASLR to the greatest extent, we propose a novel defensive approach called code shredding: a defensive scheme based on the idea of embedding the checksum value of a memory address as a part of the address itself. This simple yet effective approach hinders the designation of the specific addresses used in code-reuse attacks by giving attackers the illusion of program code shredded into pieces at byte granularity and dispersed randomly over the memory space. We show our design and implementation of a proof-of-concept prototype system for the Windows platform and the results of several experiments conducted to confirm its feasibility and performance overheads.
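As an added illustration of the abstract's central idea, and not code from the paper or its prototype: a toy Python model in which every code pointer carries a keyed checksum of its own address, so a pointer that an attacker writes without knowing the per-process secret fails validation at the moment it is about to be used as a branch target. The 24-bit/8-bit field split, the use of HMAC-SHA256 as the checksum, the key value and all addresses are constructed assumptions of this model, not details taken from the paper.

```python
"""Toy model of checksum-embedded code pointers (constructed illustration).

Assumed layout (not taken from the paper): a 32-bit pointer holds a
24-bit raw address in its low bits and an 8-bit keyed checksum of that
address in its high bits. The key is a per-process secret.
"""
import hashlib
import hmac
import struct

ADDR_BITS = 24
CHECK_BITS = 8
ADDR_MASK = (1 << ADDR_BITS) - 1
CHECK_MASK = (1 << CHECK_BITS) - 1


def checksum(addr: int, key: bytes) -> int:
    """Keyed checksum of a raw address, truncated to CHECK_BITS.

    HMAC-SHA256 is an assumption of this model; any keyed function that an
    attacker cannot evaluate without the secret would play the same role.
    """
    digest = hmac.new(key, struct.pack("<I", addr), hashlib.sha256).digest()
    return digest[0] & CHECK_MASK


def encode_pointer(addr: int, key: bytes) -> int:
    """Turn a raw address into the encoded form the program stores and uses."""
    if addr & ~ADDR_MASK:
        raise ValueError("address does not fit in the raw-address field")
    return (checksum(addr, key) << ADDR_BITS) | addr


def decode_pointer(ptr: int, key: bytes):
    """Validate an encoded pointer before it is used as a branch target.

    Returns the raw address, or None when the embedded checksum does not
    match, which is the signal on which a code-reuse attempt is detected.
    """
    addr = ptr & ADDR_MASK
    tag = (ptr >> ADDR_BITS) & CHECK_MASK
    if tag != checksum(addr, key):
        return None
    return addr


def return_from_call(saved_return_slot: int, key: bytes) -> str:
    """Model a 'ret': the saved slot must decode, otherwise execution halts."""
    target = decode_pointer(saved_return_slot, key)
    if target is None:
        return "detected: corrupted code pointer"
    return f"resume at {target:#08x}"


def survival_rate(raw_targets, key: bytes) -> float:
    """Fraction of attacker-chosen raw addresses (written without the key,
    hence with a zero checksum field) that would pass validation."""
    passed = sum(1 for a in raw_targets if decode_pointer(a, key) is not None)
    return passed / len(raw_targets)


if __name__ == "__main__":
    KEY = b"constructed-per-process-secret"   # constructed sample key
    legit = encode_pointer(0x401000, KEY)     # constructed return address
    print(return_from_call(legit, KEY))
    # A slot overwritten with a raw address (no valid checksum) is rejected
    # with probability 1 - 2**-CHECK_BITS; the exact outcome depends on KEY.
    print(return_from_call(0x401000, KEY))
    # Across a constructed 4 KiB window, roughly 1 in 256 raw addresses
    # would happen to validate.
    print(survival_rate(range(0x400000, 0x400000 + 4096), KEY))
```

The point the model makes is that the program never consults the checksum until a pointer is consumed, so a legitimate pointer costs one keyed computation at each use, while a pointer forged without the secret has only a 2^-8 chance per use of naming a byte the checker will accept; widening the checksum field shrinks that chance further, at the cost of address-space bits.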




Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012, 464 pages
ISBN: 9781450313124
DOI: 10.1145/2420950

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery
New York, NY, United States


Conference

ACSAC '12: Annual Computer Security Applications Conference
Sponsor: ACSA
December 3 - 7, 2012
Orlando, Florida, USA

Acceptance Rates

ACSAC '12 Paper Acceptance Rate: 44 of 231 submissions, 19%
Overall Acceptance Rate: 104 of 497 submissions, 21%


Cited By

  • (2022) Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream. Electronics 11(20):3363, 18 Oct 2022. DOI: 10.3390/electronics11203363
  • (2021) Vall-nut: Principled Anti-Grey box - Fuzzing. 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE), pp. 288-299, Oct 2021. DOI: 10.1109/ISSRE52982.2021.00039
  • (2020) ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets. IEICE Transactions on Information and Systems E103.D(7):1476-1492, 1 Jul 2020. DOI: 10.1587/transinf.2019ICP0016
  • (2020) Code Renewability for Native Software Protection. ACM Transactions on Privacy and Security 23(4):1-31, 25 Aug 2020. DOI: 10.1145/3404891
  • (2020) Quantitative Assessment on the Limitations of Code Randomization for Legacy Binaries. 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 1-16, Sep 2020. DOI: 10.1109/EuroSP48549.2020.00009
  • (2018) Compiler-Assisted Code Randomization. 2018 IEEE Symposium on Security and Privacy (SP), pp. 461-477, May 2018. DOI: 10.1109/SP.2018.00029
  • (2018) Clonal plasticity. Autonomous Agents and Multi-Agent Systems 32(2):275-311, 1 Mar 2018. DOI: 10.1007/s10458-017-9380-x
  • (2016) Searching for software diversity. Proceedings of the 2016 New Security Paradigms Workshop, pp. 80-91, 26 Sep 2016. DOI: 10.1145/3011883.3011891
  • (2016) HIPStR. ACM SIGARCH Computer Architecture News 44(2):727-741, 25 Mar 2016. DOI: 10.1145/2980024.2872408
  • (2016) HIPStR. ACM SIGOPS Operating Systems Review 50(2):727-741, 25 Mar 2016. DOI: 10.1145/2954680.2872408
